Rolling up the sleeves


Judas989
12th July 2006, 10:07
Well, after mostly lurking on these forums for a while and reading tons of tutorials on game-hacking, I've finally decided to roll up my sleeves and give it a go with BF2.

I've read through all of Cal's tutorials (VERY helpful!) and countless threads on DMA stealing, code-caving, ASM coding, etc and have been fairly successful with wrapping my brain around Olly and TSearch.

That being said, I'm still curious about some things that haven't been made clear elsewhere. For example: I'm currently researching how to create a simple memory hack for BF2 which is guarded by teh evil PB. I know that PB scans the entire BF2.exe file and certain parts of the RendDX9.dll file for hinky coding -- this is where code-caving comes into play. Now this is one thing I'm having trouble with: if the entire BF2.exe file is scanned for changed code, how can I insert a jump to my cave?

Sticky Tags fascinates me because it was (somehow!) able to go undetected from PB for so long. I'd simply ask Cheetah how he/she did it but I'm learning from the ground up just like the rest (and the best.) There's no sense in having the answer and not knowing what to do with it.

So OK, forgetting about PB, I set a jump from RendDX9.dll to... say... binkw32.dll where my code-cave is, then jump back to the next line in the original code. I understand the concept and logic and it made sense to me after thinking about it for a while. Unfortunately testing this example provided no results; my hack didn't work.

So getting to most of the questions I am still seeking answers for:

Code-caving doesn't seem to work for me (at all) and I know it's because I'm missing something. I've followed Captain Cox's PowerPoint presentation and its logic but I still seem to be missing something. I copy some areas of the code to the cave (like in the tutorial, a range of offsets that also includes the offset to be changed) and recode the code in the cave so it doesn't jump back to the original code. My problem here is that I often run into an offset that jumps to a LOT of information in the original code, which turns out to be way more code that needs to be copied into the cave... or so at least I think. Hopefully that makes sense, it's hard trying to describe something I have very little knowledge of.

The next big question is: once I have the assembly code for everything... wtf do I do with it then? Put it into TSearch, I know that much. Going between TSearch and Olly is confusing for me because I know they both do the same thing but they go about it differently... or rather they show it to you differently.

I managed to create a nametag hack w/ TSearch and EasyWrite (which is pretty sweet) without code-caving, just did:
Offset XXXXXXX
<inserted changed code here>

Offset XXXXXXX
<insert original code here>

And POOF! It worked. It would never make it past PB though and that is my ultimate goal so please excuse my n00bishness as I'm very willing to learn.


Thanks for reading my long-ass post, I hope it kinda made sense. :knockedout:

SINE
12th July 2006, 10:55
I would suggest rethinking the whole idea of code caves. What is it you want to achieve? Map hack? Tag hack? Aimbot? All of these can be implemented without a single intervention into bf2 code, or any hooking for that matter. Think of it - everything in the game is controlled by variables. They can be read, they can be changed, their static base addresses can be found without code caving for the DMA.

cheers,
Sine

Kosire
12th July 2006, 11:37
But if you can't find a variable to do what you want then function pointers are exploitable and no change of BF2 code is needed to get hacks like minimap / tags etc working.

SINE
12th July 2006, 14:45
But if you can't find a variable to do what you want then function pointers are exploitable and no change of BF2 code is needed to get hacks like minimap / tags etc working.

Yeah, object oriented programming works very well for cheaters :-)

Sine

snoochy
12th July 2006, 16:01
I would suggest rethinking the whole idea of code caves. What is it you want to achieve? Map hack? Tag hack? Aimbot? All of these can be implemented without a single intervention into bf2 code, or any hooking for that matter. Think of it - everything in the game is controlled by variables. They can be read, they can be changed, their static base addresses can be found without code caving for the DMA.

cheers,
Sine

Are you talking about d3d hacks? If not, maybe a link or a little example would be helpful; I'm interested... thanks in advance.

Judas989
12th July 2006, 16:25
What is it you want to achieve? Map hack? Tag hack? Aimbot?
I'm just interested in making something simple, like a tag hack, that I can work on hiding from PB via a code-cave (which is why I mentioned code caves.)

I don't want to bite off more than I can chew; coding an aimbot seems a little too advanced for me at this point.

...function pointers are exploitable and no change of BF2 code is needed to get hacks like minimap / tags etc working.

What are function pointers?


Thanks for the replies, fellas! I thought nobody would read my post since it ended up being so freakin' long! LOL

SINE
12th July 2006, 16:46
Are you talking about d3d hacks? If not, maybe a link or a little example would be helpful; I'm interested... thanks in advance.

No, no... D3D hacks make the game look ugly - not my flavour. I am talking about relatively simple hacks based on data modification. By principle, if you read or write something that is intended to be written to or read, you are much more difficult to detect than when you modify something supposed to remain static.

Kosire, if I understand him correctly, points at changing v-tables. Which is somewhere in between, because although they are dynamic in all late-binding OO languages, a legitimate v-table can be reconstructed by PB, and changes can, ultimately, be detected.

@ function tables: when an object's method is being called, it is not a direct, hardcoded jump, but something like this:

    mov edx, object_reference     ; edx = pointer to the object
    ; .. parameters go on the stack
    mov eax, [edx]                ; first DWORD of the object = pointer to the v-table
    call [eax+7*4]                ; slot 7 of the v-table (offset 28 = 1Ch)

where 7 is the index of the seventh (virtual) method in that object. The v-table (referenced by the first DWORD in the object, in VC++ and most languages I know) is created or modified at runtime, when the object is instantiated. Hence, if you modify the table, you can hook. Some language implementations make it so that every instance has its own v-table; most, like VC++, have shared v-tables for all objects of a given class.

Sine
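
The dispatch Sine describes, written out in C as an added illustration (this is not code from the thread, from BF2, from PB or from any project mentioned here): an object whose first field points at a per-class table of function pointers, a `call_virtual` that does what `mov eax,[edx] / call [eax+slot*4]` does, and a `check_vtable` that stands in for the defender-side comparison Sine mentions, i.e. comparing the live table and the object's table pointer against a reference copy of the legitimate one. `Object`, `class_vtable`, `reference_vtable`, `call_virtual` and `check_vtable` are names I made up for this example; the eight-slot layout is constructed so that "slot 7" exists.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a class laid out the way VC++ lays out a C++ object
 * with virtual methods. The first pointer-sized field is the v-table pointer;
 * the v-table itself is shared by every instance of the class. */
typedef struct Object Object;
typedef int (*Method)(Object *self, int arg);

struct Object {
    Method *vtable;   /* first DWORD/QWORD of the object: pointer to the v-table */
    int value;
};

#define NUM_METHODS 8

static int method_add(Object *self, int arg)      { return self->value + arg; }
static int method_mul(Object *self, int arg)      { return self->value * arg; }
static int method_identity(Object *self, int arg) { (void)self; return arg; }

/* The live, shared v-table for the class (mutable here only so the tampering
 * case can be demonstrated; a compiler normally places it in read-only data). */
static Method class_vtable[NUM_METHODS] = {
    method_identity, method_identity, method_identity, method_identity,
    method_identity, method_identity, method_add,      method_mul,
};

/* Reference copy of the legitimate table, captured from the class definition.
 * This is the "reconstructed legitimate v-table" a checker compares against. */
static const Method reference_vtable[NUM_METHODS] = {
    method_identity, method_identity, method_identity, method_identity,
    method_identity, method_identity, method_add,      method_mul,
};

/* "Instantiate" an object: its v-table pointer is set to the class table. */
static Object make_object(int value) {
    Object o;
    o.vtable = class_vtable;
    o.value = value;
    return o;
}

/* Equivalent of  mov eax,[edx] ; call [eax+slot*4]  : load the v-table pointer
 * from the object, index the table, call through the pointer. */
static int call_virtual(Object *self, size_t slot, int arg) {
    Method *vt = self->vtable;          /* [edx] */
    return vt[slot](self, arg);         /* call [vt + slot*sizeof(Method)] */
}

/* Defender-side integrity check (toy stand-in for what the thread says an
 * anti-cheat can do). Returns -1 when everything matches the reference,
 * -2 when the object's v-table pointer no longer points at the class table
 * (a per-instance table swap), or the index of the first modified slot. */
static int check_vtable(const Object *self) {
    if (self->vtable != class_vtable)
        return -2;
    for (size_t i = 0; i < NUM_METHODS; i++)
        if (class_vtable[i] != reference_vtable[i])
            return (int)i;
    return -1;
}

int main(void) {
    Object o = make_object(5);
    printf("slot 6 -> %d, slot 7 -> %d, check = %d\n",
           call_virtual(&o, 6, 3), call_virtual(&o, 7, 3), check_vtable(&o));

    /* Simulate an edit of slot 7 in the shared table, then detect it. */
    Method saved = class_vtable[7];
    class_vtable[7] = method_identity;
    printf("after slot edit: slot 7 -> %d, check = %d\n",
           call_virtual(&o, 7, 3), check_vtable(&o));
    class_vtable[7] = saved;
    return 0;
}
```

Two things the block makes concrete: the call site never names the method, only a slot number, so whatever pointer sits in that slot at call time is what runs; and a checker that keeps its own reference copy of the table can tell a modified slot from a redirected table pointer, which is the distinction behind Sine's remark that v-table changes are detectable even though the tables are built at runtime.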

LB/Fred_Durst
12th July 2006, 17:03
hehe, i got the same problem as judas. but my game just crashes when i turn on my hack :(
code caving isn't difficult.... you just have to be careful. but i don't think that code caving will work in future any longer. PB becomes more glaring and if your code cave becomes detected you just get GUID or HW banned... i start with D3D now....

Judas989
12th July 2006, 17:08
i start with D3d now

Is d3d hacking more complicated compared to memory hacking?

caliber1942
12th July 2006, 19:49
But if you can't find a variable to do what you want then function pointers are exploitable and no change of BF2 code is needed to get hacks like minimap / tags etc working.

so then you inject your own .dll with the modified function code and then you change the function pointer to point to the location of your own function and this would work? is this what you mean?

never tried that directly-

best,
cal

snoochy
13th July 2006, 01:06
Thanks Sine for the reply, still a bit above my head. New question: why aren't most hacks developed this way if it's less likely to get detected? And how would one go about finding these variables? Is it based on the same address that you would normally nop, jmp, etc.?

dennis53
13th July 2006, 01:06
Yeah, object oriented programming works very well for cheaters :-)

Sine

OK Sine, to begin to grasp this approach of programming where would one start? And by start I mean for one with zero knowledge. I was studying Cal's tuts and Alaxul's and this, if I understand, is an approach from an entirely different angle using altogether different techniques and theories. Correct? I don't want to confuse the issue and be all ^#@&* up trying to learn and fall victim to another GUID ban. I specifically want to make a Tag/Aimbot hack for BF2 as well as a set of superman chams. I may be setting my goals high but I like the challenge. Thanks for the help

Kosire
13th July 2006, 02:01
so then you inject your own .dll with the modified function code and then you change the function pointer to point to the location of your own function and this would work? is this what you mean?

never tried that directly-

best,
cal

Yes, it's a slightly harder concept to grasp than codecaves and you need to be able to code in C++ well to implement it, but once you know what you're doing it's 100x faster than doing codecaves by hand.

As for PB detecting changes to the vTable, PB gets a pointer to the vTable by reading a static pointer at a set offset of code. That's possibly exploitable. But also they are limited to checking if the vTable points to within, say, d3d9.dll, so you could point it to a JMP in d3d9 which then jumps to the real function.

daenerys
13th July 2006, 10:00
Hi,
sorry for my noobness, but I have tried to poke around with TSearch and I have noticed that when I try to change a memory location value in the found results window, TSearch freezes. This is independent of the program that is, well, poked (so not only for BF2). On the other side, if I try to change the values in the memory dump window, there is no problem. Is this a known bug or am I missing something?
I'm running TSearch 1.6b (from the mpc DL section), WIN XP Home, Intel Pentium IV 2.8 with 1 GB RAM.

Thanks :-)

danny

Judas989
13th July 2006, 23:27
So DLL injection requires no modification of game code?

caliber1942
14th July 2006, 00:11
To Kosire

Yes, it's a slightly harder concept to grasp than codecaves and you need to be able to code in C++ well to implement it, but once you know what you're doing it's 100x faster than doing codecaves by hand.

As for PB detecting changes to the vTable, PB gets a pointer to the vTable by reading a static pointer at a set offset of code. That's possibly exploitable. But also they are limited to checking if the vTable points to within, say, d3d9.dll, so you could point it to a JMP in d3d9 which then jumps to the real function.

yes, but for something like the minimap this wouldn't work. for instance, i have isolated the function for drawing infantry/vehicles onto the minimap. the code for this function is located within the bf2.exe at 761d20. there is only one call in the program that accesses this function and it is a direct call to the function (there isn't a virtual function call) and so the call reads CALL 761d20. therefore the call is hard coded into the .exe and cannot be exploited in this way as best i understand it. i haven't tried this for tags, but i assume it WILL work there since this is a call to the .dll and not in the direct bf2 code.

have you gotten around this problem somehow with virtual functions? or perhaps you can PM me or explain to me a different way-

best,
cal

LiquidSifer
14th July 2006, 07:46
OK Sine, to begin to grasp this approach of programming where would one start? And by start I mean for one with zero knowledge. I was studying Cal's tuts and Alaxul's and this, if I understand, is an approach from an entirely different angle using altogether different techniques and theories. Correct? I don't want to confuse the issue and be all ^#@&* up trying to learn and fall victim to another GUID ban. I specifically want to make a Tag/Aimbot hack for BF2 as well as a set of superman chams. I may be setting my goals high but I like the challenge. Thanks for the help

I don't think battlefield is capable of an aimbot is it?

SINE
14th July 2006, 09:00
I don't think battlefield is capable of an aimbot is it?

Shurely not.

Sine

KizZamP-
14th July 2006, 11:40
I don't think battlefield is capable of an aimbot is it?
lol of course...
Shurely not.
don't dare you lie again =P

dennis53
15th July 2006, 03:36
Ok, allow me to rephrase the question. As I understand, if you just had an "auto aim" function but not auto shoot and re to address it to one particular weapon, would this or could this be achieved without making the game "ugly"?? I wasn't referring to a "Wambot" hack. If not, what would be the closest one might get to achieving such, and what coding method might best be used to get there? Or can't you get there from here? LOL Thanks

T0m
15th July 2006, 03:39
dennis, just so you know.... no aimbot has been achieved (that we know of) in BF2 as of yet...

lucid713
15th July 2006, 03:53
dennis, just so you know.... no aimbot has been achieved (that we know of) in BF2 as of yet...

Actually, there are BF2 aimbots. There was a public one released not too long ago (detected now, of course). This one inspired me to write my own, which works great. I believe SINE has written his own as well ... and I'm sure there are others.

Kosire
15th July 2006, 03:58
dennis, just so you know.... no aimbot has been achieved (that we know of) in BF2 as of yet...

There are a few people with aimbots for BF2, you just don't see them in the public arena.

LiquidSifer
15th July 2006, 06:11
Actually, there are BF2 aimbots. There was a public one released not too long ago (detected now, of course). This one inspired me to write my own, which works great. I believe SINE has written his own as well ... and I'm sure there are others.


Then could you please post a link to the location where it was released...:hurt:

T0m
15th July 2006, 06:14
Then could you please post a link to the location where it was released...

if indeed there are aimbots, like kosire says (he probably has one) you will surely not get a link to them.

they are private for a reason...and they are only meant for a few select people...

SINE
15th July 2006, 10:03
Seriously speaking, making an aimbot for BF2 is not only possible, but rather easy given the amount of information posted here and in other forums. First, you have postings on GD

http://forum.gamedeception.net/showthread.php?t=8645
http://forum.gamedeception.net/showthread.php?t=8627

showing how to make a client hook and how to retrieve coordinates. You have mine and others' postings here showing how to find the reference for playermanager,

http://www.mpcforum.com/showthread.php?t=138572
http://www.mpcforum.com/showthread.php?t=134424

and also how to retrieve roll, yaw and pitch - which was not described in Patrick's posting. You have a lot of postings on how to simulate mouse clicks and moves. You even have quite a lot to choose from as far as writing aiming routines is concerned. You have DC's StructBuilder. I mean, what else would one need to create an aimbot? Making a really stealthy one is a challenge, but making a private one is no longer with that info floating around.

cheers
Sine